Mirror of https://github.com/crowdsecurity/cs-firewall-bouncer.git (synced 2024-08-19 01:18:49 +03:00)
58bfba38f66a64565afadc119d7c6a4afd97a21d
cs-firewall-bouncer
CrowdSec bouncer for firewalls, written in Go.
cs-firewall-bouncer fetches new and old decisions from a CrowdSec API and adds them to a blocklist used by the supported firewalls.
Supported firewalls:
- iptables (IPv4 ✔️ / IPv6 ✔️ )
- nftables (IPv4 ✔️ / IPv6 ✔️ )
Installation
Assisted
First, download the latest cs-firewall-bouncer release.
$ tar xzvf cs-firewall-bouncer.tgz
$ sudo ./install.sh
From source
Run the following commands:
git clone https://github.com/crowdsecurity/cs-firewall-bouncer.git
cd cs-firewall-bouncer/
make release
tar xzvf cs-firewall-bouncer.tgz
cd cs-firewall-bouncer-v*/
sudo ./install.sh
Configuration
Before starting the cs-firewall-bouncer service, edit the configuration to add your API URL and key.
The default configuration file is located under /etc/crowdsec/cs-firewall-bouncer/:
$ vim /etc/crowdsec/cs-firewall-bouncer/cs-firewall-bouncer.yaml
mode: iptables
piddir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
api_url: <API_URL> # default at install time is "localhost:8080"
api_key: <API_KEY> # Add your API key generated with `cscli bouncers add --name <bouncer_name>`
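A pre-start check for the file above, added here as an example and not part of the project: it fails if `mode` is not one of the two supported firewalls, if `api_url` or `api_key` is empty or still a `<...>` placeholder, or if the file holding the API key is world-readable. The function names and the permission check are assumptions of this example, and the parser handles only flat `key: value` lines like the ones shown.

```shell
#!/bin/sh
# Added example: sanity-check cs-firewall-bouncer.yaml before starting the service.

# cfg_value <file> <key>: print the value of a top-level "key: value" line,
# without a trailing "# comment" or surrounding double quotes.
cfg_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' | head -n 1
}

# check_bouncer_config <file>: 0 if usable, 1 if a check failed, 2 if unreadable.
check_bouncer_config() {
    cfg=$1
    rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }

    mode=$(cfg_value "$cfg" mode)
    case $mode in
        iptables|nftables) ;;
        *) echo "mode '$mode' is not iptables or nftables" >&2; rc=1 ;;
    esac

    for key in api_url api_key; do
        val=$(cfg_value "$cfg" "$key")
        case $val in
            ''|'<'*'>') echo "$key is empty or still a placeholder" >&2; rc=1 ;;
        esac
    done

    # The file contains the bouncer API key; flag it if "other" can read it.
    if [ -n "$(find "$cfg" -prune -perm -004)" ]; then
        echo "$cfg is world-readable but contains api_key" >&2
        rc=1
    fi
    return $rc
}

# Run the check only when a path is given on the command line.
[ $# -eq 0 ] || check_bouncer_config "$1"
```

Save it under a name of your choice and pass the configuration path as the only argument; a non-zero exit status means the service should not be started yet.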
You can then start the service:
sudo systemctl start cs-firewall-bouncer
